PMASA-2013-10
Announcement-ID: PMASA-2013-10
Date: 2013-08-04
Updated: 2013-08-05
Summary
Clickjacking protection can be bypassed.
Description
phpMyAdmin has a number of mechanisms to prevent clickjacking attacks; however, these mechanisms either work only in modern browser versions or can be bypassed.
Severity
We consider this vulnerability serious.
Affected Versions
Versions 3.5.x and 4.0.x (prior to 4.0.5) are affected.
Solution
Upgrade to phpMyAdmin 4.0.5 or newer, or apply the patches listed below. We have no solution for 3.5.x, because the proposed solution requires JavaScript, and we do not want to introduce a dependency on JavaScript in the 3.5.x family.
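The advisory notes that header-based protection only works in browsers that honour it and that the fix for 4.0.x depends on JavaScript. The following is an added example (not phpMyAdmin's own code) of a layered clickjacking defence: an X-Frame-Options header value for browsers that support it, plus a hide-by-default script check for the rest; all function names and the stand-in window objects are hypothetical and constructed for this example.

```javascript
// Added example, not phpMyAdmin's own code: layered clickjacking defence.
// Names (isTopLevelWindow, applyFrameDefence, makeDoc) are hypothetical.

// Header value to send (e.g. from PHP: header('X-Frame-Options: SAMEORIGIN'));
// browsers that do not honour it fall back to the script check below.
const X_FRAME_OPTIONS_HEADER = 'SAMEORIGIN';

// True when `win` is the top-level browsing context. Reading win.top can
// throw for a cross-origin frame in some browsers; treat that as framed.
function isTopLevelWindow(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    return false;
  }
}

// Hide-by-default: the document root starts hidden via CSS
// (e.g. <style>html{display:none}</style>) and is revealed only when the
// check passes. A naive "if framed, navigate top" bust can be suppressed by
// the framing page, whereas a page that is never revealed cannot be clicked.
function applyFrameDefence(doc, win) {
  if (isTopLevelWindow(win)) {
    doc.documentElement.style.display = 'block';
    return 'revealed';
  }
  doc.documentElement.style.display = 'none';
  return 'hidden';
}

// Constructed stand-ins for browser objects so this runs under Node.
function makeDoc() {
  return { documentElement: { style: { display: 'none' } } };
}
const topWindow = {};
topWindow.top = topWindow; topWindow.self = topWindow;       // not framed
const framedWindow = {};
framedWindow.self = framedWindow; framedWindow.top = topWindow; // framed
const crossOriginWindow = {                                     // framed, top throws
  self: {}, get top() { throw new Error('SecurityError'); }
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(applyFrameDefence(makeDoc(), topWindow));         // prints "revealed"
  console.log(applyFrameDefence(makeDoc(), framedWindow));      // prints "hidden"
  console.log(applyFrameDefence(makeDoc(), crossOriginWindow)); // prints "hidden"
}
```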
References
Thanks to Emanuel Bronshtein for reporting this issue. For more details, please refer to this report.
Assigned CVE IDs: CVE-2013-5029
Patches
The following commits have been made to fix this issue:
- 240b8332db53dedc27baeec5306dabad3bdece3b
- 24d0eb55203b029f250c77d63f2900ffbe099e8b
- 66fe475d4f51b1761719cb0cab360748800373f7
- da4042fb6c4365dc8187765c3bf525043687c66f
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.